ROX-10613: Use ubi-minimal for scanner-db #956
I guess to test it we need to first merge openshift/release#32848
e3939da to 16427de
I gave this a try, because I wanted to see whether local arm64 builds would still work with these changes.
And it seems that they don't. I'm running into a similar issue like here:
https://github.com/stackrox/stackrox/blob/989dbbaca060d22745d03e75f427e5841d0d3d5c/image/postgres/create-bundle.sh#L36
But I can't make the same workaround as @connorgorman did, because microdnf doesn't implement the --nogpgcheck option.
This is just FYI, I guess arm builds are not very important atm.
a9f7976 to 39b6c1e
@vladbologa Thanks for testing. Could you try now?
works on arm64, thanks!
image/db/rhel/Dockerfile
Outdated
@@ -25,18 +25,27 @@ COPY --from=extracted_bundle /bundle/etc/postgresql.conf /bundle/etc/pg_hba.conf | |||
|
|||
ARG POSTGRESQL_ARCH=x86_64 | |||
|
|||
RUN groupadd -g 70 postgres && \ | |||
RUN curl -sSLf https://download.postgresql.org/pub/repos/yum/reporpms/EL-8-${POSTGRESQL_ARCH}/pgdg-redhat-repo-latest.noarch.rpm -o /tmp/pg_repo.rpm && \ |
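Review bot: The curl -sSLf ... -o /tmp/pg_repo.rpm line fetches pgdg-redhat-repo-latest.noarch.rpm, and nothing in the visible lines verifies that file before it is used. HTTPS protects the transfer only, and "latest" is a moving target, so the build has no fixed statement of what it trusts. Suggest importing the PGDG key with rpm --import and running rpm --checksig /tmp/pg_repo.rpm before the install, or comparing the download against a pinned sha256. If the check is skipped for some POSTGRESQL_ARCH value, state that and the reason in a comment next to the ARG.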
how come we removed the gpg key import? I think it'd still be best to keep that. Perhaps just for x86_64?
Previously we didn't need that, and it's in the repo definition rpm, so I think we don't need to add it manually. Something is broken with the arm package; I think it's built with a different gpg key than the one used to sign.
Can we re-add it here just for x86_64 prior to rpm -i /tmp/pg_repo.rpm to remove the warning that's generated?
Let's keep the gpg key check for x86_64. We can keep it out for aarch64 since that's just for dev purposes (though let's also add a comment saying we are skipping it due to the fact it's just for dev purposes)
✔️ Let's keep the gpg key check for x86_64.
@RTann ping
Confirmed the change has been made as expected between both files:
$ diff -du image/db/rhel/Dockerfile image/db/rhel/Dockerfile.slim
--- image/db/rhel/Dockerfile 2022-10-24 11:30:22.000000000 -0700
+++ image/db/rhel/Dockerfile.slim 2022-10-24 11:30:22.000000000 -0700
@@ -10,7 +10,7 @@
FROM ${BASE_REGISTRY}/${BASE_IMAGE}:${BASE_TAG} AS base
-LABEL name="scanner-db" \
+LABEL name="scanner-db-slim" \
vendor="StackRox" \
maintainer="support@stackrox.com" \
summary="Image scanner database for the StackRox Kubernetes Security Platform" \
@@ -57,7 +57,7 @@
# This is equivalent to postgres:postgres.
USER 70:70
-COPY --from=extracted_bundle /bundle/docker-entrypoint-initdb.d/definitions.sql.gz /docker-entrypoint-initdb.d/
+ENV ROX_SLIM_MODE="true"
ENTRYPOINT ["docker-entrypoint.sh"]
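Review bot: In the second hunk, Dockerfile.slim drops the COPY of definitions.sql.gz and adds ENV ROX_SLIM_MODE="true", but nothing in the visible context says that these two changes belong together. Add a comment above the ENV line stating that slim mode ships without the preloaded definitions, so a later edit does not restore one without the other. Since the diff shows the two files differing in only two lines, a single Dockerfile with a build ARG selecting the variant would remove the need to diff them by hand.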
@janisz it looks like you'll need to rebase for CI to pass
Are you sure? I think we need to merge osci release config change first and then CI will pass.
that, too, but
Co-authored-by: Vlad Bologa <vbologa@redhat.com>
10d5447 to 5b6b31e
Rebased
* Use ubi-minimal for scanner-db
  Refs: stackrox/scanner#956
* Update stackrox-scanner-master.yaml
* Update stackrox-scanner-master.yaml
* Update stackrox-scanner-master.yaml
/retest
Images are ready for the commit at 5b6b31e. To use the images, use the tag
@janisz: The following test failed, say
Refs: https://stackoverflow.com/a/68217042/1387612
Tests: openshift/release#32858
OSCI: openshift/release#32848